
NIST  Special  Publication  500-169 


Computer Systems Technology

Executive Guide to the Protection of Information Resources


Cheryl  Helsing 
Marianne  Swanson 
Mary  Anne  Todd 



The National Institute of Standards and Technology was established by an act of Congress on March 3,
1901. The Institute's overall goal is to strengthen and advance the Nation's science and technology and
facilitate their effective application for public benefit. To this end, the Institute conducts research to assure
international competitiveness and leadership of U.S. industry, science and technology. NIST work involves development
and transfer of measurements, standards and related science and technology, in support of continually improving
U.S. productivity, product quality and reliability, innovation and underlying science and engineering. The Institute's
technical work is performed by the National Measurement Laboratory, the National Engineering Laboratory, the
National Computer Systems Laboratory, and the Institute for Materials Science and Engineering.

Introduction


Federal agencies are becoming increasingly dependent upon
automated information systems to carry out their missions.
While in the past, executives have taken a hands-off approach
in dealing with these resources, essentially leaving the area to
the computer technologist, they are now recognizing that
computers and computer-related problems must be understood
and managed, the same as any other resource.

The success of an information resources protection program
depends on the policy generated, and on the attitude of
management toward securing information on automated
systems. You, the policy maker, set the tone and the emphasis on
how important a role information security will have within your
agency. Your primary responsibility is to set the information
resource security policy for the organization with the objectives
of reduced risk, compliance with laws and regulations and
assurance of operational continuity, information integrity, and
confidentiality.


Purpose of this Guide

This guide is designed to help you, the policy maker, address a
host of questions regarding the protection and safety of
computer systems and data processed within your agency. It
introduces information systems security concerns, outlines the
management issues that must be addressed by agency policies
and programs, and describes essential components of an
effective implementation process.


The Risks

The proliferation of personal computers, local-area networks,
and distributed processing has drastically changed the way we
manage and control information resources. Internal controls
and control points that were present in the past when we were
dealing with manual or batch processes have not always been
replaced with comparable controls in many of today's
automated systems. Reliance upon inadequately controlled
information systems can have serious consequences, including:

• Inability or impairment of the agency's ability to perform its
mission

• Inability to provide needed services to the public

• Waste, loss, misuse, or misappropriation of funds

• Loss of credibility or embarrassment to an agency

To avoid these consequences, a broad set of information
security issues must be addressed effectively and
comprehensively. Towards this end, executives should take a traditional
risk management approach, recognizing that risks are taken in
the day-to-day management of an organization, and that there
are alternatives to consider in managing these risks. Risk is
accepted as part of doing business or is reduced or eliminated by
modifying operations or by employing control mechanisms.


Executive Responsibilities


Set the Security Policy of the Organization

Protecting information resources is an important goal for all
organizations. This goal is met by establishing an information
resource security program. It will require staff, funding and
positive incentives to motivate employees to participate in a
program to protect these valuable assets.

This information resource protection policy should state
precisely:

• the value to the agency of data and information resources and
the need to preserve their integrity, availability, and
confidentiality

• the intent of the organization to protect the resources from
accidental or deliberate unauthorized disclosure, modification,
or destruction by employing cost-effective controls

• the assignment of responsibility for data security throughout
the organization

• the requirement to provide computer security and awareness
training to all employees having access to information
resources

• the intent to hold employees personally accountable for
information resources entrusted to them

• the requirement to monitor and assess data security via
internal and external audit procedures

• the penalties for not adhering to the policy

Executive Goals


The policy established for securing information resources
should meet the basic goals of reducing the risk, complying
with applicable laws and regulations, and assuring operational
continuity, integrity and confidentiality. This section briefly
describes these objectives and how they can be met.


Reduce Risk To An Acceptable Level

The dollars spent for security measures to control or contain
losses should never be more than the projected dollar loss if
something adverse happened to the information resource.
Cost-effective security results when reduction in risk is
balanced with the cost of implementing safeguards. The
greater the value of information processed, or the more severe
the consequences if something happens to it, the greater the
need for control measures to protect it. It is important that
these trade-offs of cost versus risk reduction be explicitly
considered, and that executives understand the degree of risk
remaining after selected controls are implemented.


Assure Operational Continuity

With ever-increasing demands for timely information and
greater volumes of information being processed, availability of
essential systems, networks, and data is a major protection
issue. In some cases, service disruptions of just a few hours are
unacceptable. Agency reliance on essential computer systems
requires that advance planning be done to allow timely
restoration of processing capabilities in the event of severe service
disruption. The impact due to inability to process data should be
assessed, and action taken to assure availability of those
systems considered essential to agency operation.


Comply with Applicable Laws and Regulations

As the pervasiveness of computer systems increases and the
risks and vulnerabilities associated with information systems
become better understood, the body of law and regulations
compelling positive action to protect information resources
grows. OMB Circular No. A-130, "Management of Federal
Information Systems," and Public Law 100-235, "Computer
Security Act of 1987" are two documents where the knowledge
of these laws provides a baseline for an information resources
security program.


Assure Integrity and Confidentiality

An important objective of an information resource management
program is to ensure that the information is accurate.
Integrity of information means you can trust the data and the
processes that manipulate it. A system has integrity when it
provides sufficient accuracy and completeness to meet the
needs of the user(s). It should be properly designed to
automate all functional requirements, include appropriate
accounting and integrity controls, and accommodate the full
range of potential conditions that might be encountered in its
operation.

Agency information should also be protected from intruders, as
well as from employees with authorized computer access
privileges who attempt to perform unauthorized actions.


Assured confidentiality of sensitive data is often, but not
always, a requirement of agency systems. Privacy requirements
for personal information are generally dictated by statute,
while protection requirements for other agency information
are a function of the nature of that information.
Determination of requirements in the latter case is made by the official
responsible for that information. The impact of wrongful
disclosure should be considered in understanding confidentiality
requirements.

Information Protection Program Elements


Need for Policies and Procedures

Successful execution of the responsibilities previously outlined
requires establishing agency policies and practices regarding
information protection. The security policy directive facilitates
consistent protection of information resources. Supporting
procedures are most effectively implemented with top
management support, through a program focused on areas of highest
risk. A compliance assessment process ensures ongoing
effectiveness of the information protection program throughout the
agency.


Scope

Although the protection of automated information resources is
emphasized in this publication, protection requirements will
usually extend to information on all forms of media. Agency
programs should apply safeguards to all information requiring
protection, regardless of its form or location.

Comprehensive information resource protection procedures
will address: accountability for information, vulnerability
assessment, data access, hardware/software control, systems
development, and operational controls. Protection should be
afforded throughout the life cycle of information, from
creation through ultimate disposition.


Accountability for Information

An effective information resource protection program
identifies the information used by the agency and assigns primary
responsibility for information protection to the managers of
the respective functional areas supported by the data. These
managers know the importance of the data to the organization
and are able to quantify the economic consequences of
undesirable happenings. They are also able to detect deficiencies
in data and know definitively who must have access to the data
supporting their operations. A fundamental information
protection issue is assignment of accountability. Information flows
throughout the organization and can be shared by many
individuals. This tends to blur accountability and disperse
decision-making regarding information protection.
Accountability should be explicitly assigned for determining and
monitoring security for appropriate agency information.


When security violations occur, management must be
accountable for responding and investigating. Security violations
should trigger a re-evaluation of access authorizations,
protection decisions, and control techniques. All apparent violations
should be resolved; since absolute protection will never be
achieved, some losses are inevitable. It is important, however,
that the degree of risk assumed be commensurate with the
sensitivity or importance of the information resource to be
protected.

Vulnerability Assessment

A risk assessment program assures management that periodic
reviews of information resources have considered the degree
of vulnerability to threats causing destruction, modification,
disclosure, and delay of information availability, in making
protection decisions and investments in safeguards.

The official responsible for a specific information resource
determines protection requirements. Less-sensitive,
less-essential information will require minimal safeguards, while highly
sensitive or critical information might merit strict protective
measures. Assessment of vulnerability is essential in specifying
cost-effective safeguards; overprotection can be needlessly
costly and add unacceptable operational overhead.

Once cost-effective safeguards are selected, residual risk
remains and is accepted by management. Risk status should be
periodically re-examined to identify new threats,
vulnerabilities, or other changes that affect the degree of risk that
management has previously accepted.

Data Access

Access to information should be delegated according to the
principles of need-to-know and least possible privilege. For a
multi-user application system, only individuals with authorized
need to view or use data are granted access authority, and they
are allowed only the minimum privileges needed to carry out
their duties. For personal computers with one operator, data
should be protected from unauthorized viewing or use. It is
the individual's responsibility to ensure that the data is secure.


Systems Development

All information systems software should be developed in a
controlled and systematic manner according to agency standards.
Agency policy should require that appropriate controls for
accuracy, security, and availability are identified during system
design, approved by the responsible official, and implemented.
Users who design their own systems, whether on a personal
computer or on a mainframe, must adhere to the systems
development requirements.

Systems should be thoroughly tested according to accepted
standards and moved into a secure production environment
through a controlled process. Adequate documentation should
be considered an integral part of the information system and
be completed before the system can be considered ready for
use.


Hardware/Software Configuration Control

Protection of hardware and resources of computer systems and
networks greatly contributes to the overall level of control and
protection of information. The information protection policies
should provide substantial direction concerning the
management and control of computer hardware and software.

Agency information should be protected from the potentially
destructive impact of unauthorized hardware and software.
For example, software "viruses" have been inserted into
computers through games and apparently useful software acquired
via public access bulletin boards; viruses can spread from
system to system before being detected. Also, unauthorized
hardware additions to personal computers can introduce
unknown dial-in access paths. Accurate records of
hardware/software inventory, configurations, and locations
should be maintained, and control mechanisms should provide
assurance that unauthorized changes have not occurred.

To avoid legal liability, no unauthorized copying of software
should be permitted. Agencies should also address the issue of
personal use of Federal computer systems, giving employees
specific direction about allowable use and providing consistent
enforcement.


Operational Controls

Agency standards should clearly communicate minimum
expected controls to be present in all computer facilities,
computer operations, input/output handling, network management,
technical support, and user liaison. More stringent controls
would apply to those areas that process very sensitive or critical
information.

Protection of these areas would include:

• Security management;

• Physical security;

• Security of system/application software and data;

• Network security; and

• Contingency planning.

The final section of this guide describes the organizational
process of developing, implementing, and managing the
ongoing information protection program.

Information Protection Program Implementation


Information Protection Management

In most cases, agency executive management is not directly
involved in the details of achieving a controlled information
processing environment. Instead, executive action should
focus on effective planning, implementation, and an ongoing
review structure. Usually, an explicit group or organization is
assigned specific responsibility for providing day-to-day
guidance and direction of this process. Within this group an
information security manager (ISM) should be identified as a
permanent focal point for information protection issues within the
agency.

The ISM must be thoroughly familiar with the agency mission,
organization, and operation. The manager should have
sufficient authority to influence the organization and have access to
agency executives when issues require escalation.

Independence

In determining the reporting relationship of the ISM,
independence of functional areas within the agency is desirable.
Plans and budget for the ISM function should be approved by
agency management, rather than being part of any functional
area budget. This approach avoids conflicts of interest and
facilitates development and maintenance of a comprehensive
and consistent protection program that serves the needs of
agency management.

Degree of Centralization

The desirability of centralized versus decentralized security is
heavily debated and largely depends on size, organizational
structure, and management approach at the individual agency.
A centralized approach to security has the advantages of being
directly responsive to executive direction and specifically
accountable for progress and status.

A decentralized approach to security has the advantages of
being close to the functional area involved. In the long term,
decentralization may provide better integration of security with
other entity functions.



An effective combined approach offers advantages. A small
dedicated resource at the agency level can direct the
information protection program, while additional resources are utilized
at the functional area level to implement the program in each
area.


Dedicated Staff

The common practice of assigning responsibility for
information security to existing staff with other major responsibilities is
often unsuccessful. At least one dedicated staff member is
recommended at the program management level.

The need for additional full-time resources depends on the
agency's computer environment. The number of information
systems, their technical complexity, the degree of networking,
the importance of information processed, adequacy of existing
controls, and extent of agency dependence on information
systems affect the resources needed.


Implementation Stages

Development of a comprehensive information protection
program that is practiced and observed widely throughout a
Federal agency occurs in stages and requires ongoing
monitoring and maintenance to remain viable.

First, organizational requirements for information protection
are identified. Different agencies have varying levels of need
for security, and the information protection program should be
structured to most effectively meet those needs.

Next, organizational policies are developed that provide a
security architecture for agency operations, taking into
consideration the information protection program elements
discussed in the previous section of this guide. The policies
undergo normal review procedures, then are approved by agency
management for implementation.

Activities are then initiated to bring the agency into
compliance with the policies. Depending on the degree of
centralization, this might require development of further plans
and budgets within functional entities of the agency to
implement the necessary logical and physical controls.

Training

Training is a major activity in the implementation process.
Security violations are the result of human action, and
problems can usually be identified in their earliest stages by
people. Developing and maintaining personnel awareness of
information security issues can yield large benefits in
prevention and early detection of problems and losses.

Target audiences for this training are executives and policy
makers, program and functional managers, IRM security and
audit personnel, computer management and operations, and
end users. Training can be delivered through existing policy
and procedures manuals, written materials, presentations and
classes, and audio-visual training programs.

The training provided should create an awareness of risks and
the importance of safeguards, underscoring the specific
responsibilities of each of the individuals being trained.


Monitoring and Enforcement

An ongoing monitoring and enforcement program assures
continued effectiveness of information protection measures.

Compliance may be measured in a number of ways, including
audits, management reviews or self-assessments, surveys, and
other informal indicators. A combination of monitoring
mechanisms provides greater reliability of results.

Variances from policy requirements should be accepted only in
cases where the responsible official has evaluated,
documented, and accepted the risk of noncompliance.
Enforcement of agency policies and practices is important to the
overall success of an information protection program. Inconsistent
or lax enforcement quickly results in deterioration of internal
controls over information resources.

A positive benefit of an effective monitoring and enforcement
process is an increased understanding of the degree of
information-related risk in agency operations. Without such a
feedback process, management unknowingly accepts too much risk.
An effective information protection program allows the agency
to continue to rely upon and expand the use of information
technology while maintaining an acceptable level of risk.

Maintenance

As agency initiatives and operations change, and as the
computer environment evolves, some elements of the information
protection program will require change as well. Information
protection cannot be viewed as a project with a distinct end;
rather, it is a process that should be maintained to be realistic
and useful to the agency. Procedures for review and update of
policies and other program elements should be developed and
followed.

For Additional Information


National Institute of Standards and Technology
Computer Security Program Office
A-216 Technology
Gaithersburg, MD 20899
(301) 975-5200


For further information on the management of information resources, NIST publishes Federal
Information Processing Standards Publications (FIPS PUBS). These publications deal with many
aspects of computer security, including password usage, data encryption, ADP risk management
and contingency planning, and computer system security certification and accreditation. A list of
current publications is available from:


Standards Processing Coordinator (ADP)
National Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, B-64
Gaithersburg, MD 20899
Phone: (301) 975-2817